The Stagefright exploit, which allowed for malicious code to be embedded in files on your device, is now very real in the form of Metaphor. Developed by software research company NorthBit, Metaphor is their implementation of exploits to the Stagefright library, and when executed, can access and control data on your device.

What Metaphor Does

Android devices running 2.2 to 4.0 as well as 5.0/5.1 are potentially vulnerable. While testing Metaphor, NorthBit found that the exploit works on the Nexus 5, HTC One, LG G3, and Samsung Galaxy S5. There's no reason to believe it won't work on other phones as well. According to NorthBit, it was easiest to hack Google's Nexus 5, which they were able to exploit in 15 seconds.

Stagefright's vulnerability is exploited by a malicious media file placed on a seemingly safe website. When you visit the site, the file crashes Android's media library and, when it restarts, JavaScript on the page begins sending your device's information back to the attacker's server.

When the server receives that data, a custom video file is generated and injected into the webpage. The video fully exploits Stagefright's vulnerability and allows the server to send malware to your phone in the form of another video file.

It can take anywhere from 15 seconds to a couple minutes for all of this to happen. Attackers need you to remain on the site for a little while, which makes this attack more insidious, as you can be tricked into thinking the site is safe. I think we can all admit we've scrolled through pages upon pages of cat pictures for more than 15 seconds at a time.

How to Stay Safe

Hackers have either already found this vulnerability or may now exploit it due to NorthBit's research, so you do need to make sure your device is protected.

Personal responsibility is key when it comes to avoiding a Metaphor attack. The only way your device can become infected is if you click on a bad link, and you can often avoid making that mistake just by seeing where the link came from. When on a webpage or in an email, long-press on any hyperlink to view its URL. If a URL looks suspicious for any reason, avoid it.

Google should release a patch to address Metaphor shortly, but it could be a while before some devices receive it if they're tied to a carrier's update policy. Nexus devices will receive a patch directly from Google, either as a one-off fix or as part of a monthly security update.